CVE-2021-37624

7.5 HIGH

📋 TL;DR

FreeSWITCH versions before 1.10.7 do not authenticate SIP MESSAGE requests by default, allowing attackers to send spoofed chat messages to registered SIP user agents. This enables spam, social engineering, and phishing attacks by making messages appear to come from trusted sources. All FreeSWITCH deployments using default configurations are affected.

💻 Affected Systems

Products:
  • FreeSWITCH
Versions: All versions prior to 1.10.7
Operating Systems: All platforms running FreeSWITCH
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using the default configuration, in which the auth-messages parameter is not set to true.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers spoof messages from trusted entities to conduct successful phishing campaigns, credential theft, or social engineering attacks against users.

🟠 Likely Case

Spam messages sent to SIP endpoints, potentially disrupting communications and enabling basic social engineering attempts.

🟢 If Mitigated

With authentication enabled, only authenticated users can send MESSAGE requests, preventing spoofing and unauthorized messaging.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SIP MESSAGE requests can be sent without authentication using standard SIP tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.7

Vendor Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3

Restart Required: Yes

Instructions:

1. Back up configuration files.
2. Upgrade to FreeSWITCH 1.10.7 or later.
3. Restart the FreeSWITCH service.
4. Verify authentication is working for MESSAGE requests.

🔧 Temporary Workarounds

Enable SIP MESSAGE authentication (all platforms)

Set the auth-messages parameter to true in the SIP profile configuration:

Edit sip_profiles/internal.xml or external.xml
Add or modify: <param name="auth-messages" value="true"/>
fs_cli -x "reloadxml"
fs_cli -x "sofia profile internal restart"

🧯 If You Can't Patch

  • Implement network-level controls to restrict SIP MESSAGE traffic to trusted sources only
  • Deploy SIP-aware firewall or IDS/IPS to detect and block unauthenticated MESSAGE requests

🔍 How to Verify

Check if Vulnerable:

Check FreeSWITCH version and verify auth-messages parameter is not set to true in SIP profiles

Check Version:

fs_cli -x "version"

Verify Fix Applied:

After upgrade, verify version is 1.10.7+ and test that unauthenticated SIP MESSAGE requests are rejected
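
The check described above can be scripted. The following is an added example, not code from FreeSWITCH or from the vendor advisory: it flags SIP profiles that do not set auth-messages to true on a build older than 1.10.7. The sample profile XML and the version banner text are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (1, 10, 7)  # first fixed release, per this advisory

# Constructed sample profiles (not taken from a real deployment).
SAMPLE_PROFILES = """
<include>
  <profile name="internal">
    <settings><param name="auth-calls" value="true"/></settings>
  </profile>
  <profile name="external">
    <settings><param name="auth-messages" value="true"/></settings>
  </profile>
</include>
"""

def parse_version(text):
    """Pull the first x.y.z triple out of a version banner (banner format assumed)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())

def profiles_without_message_auth(xml_text):
    """Return names of SIP profiles where auth-messages is absent or not 'true'."""
    exposed = []
    for profile in ET.fromstring(xml_text).iter("profile"):
        values = [p.get("value", "").strip().lower()
                  for p in profile.iter("param")
                  if p.get("name") == "auth-messages"]
        # Conservative: a missing param, or any occurrence that is not "true"
        # (including an unresolved $${variable}), counts as not enforced.
        if not values or any(v != "true" for v in values):
            exposed.append(profile.get("name", "<unnamed>"))
    return exposed

def audit(version_banner, xml_text):
    """Exposed = build older than 1.10.7 AND a profile without auth-messages=true."""
    if parse_version(version_banner) >= FIXED:
        return []
    return profiles_without_message_auth(xml_text)

if __name__ == "__main__":
    # Constructed stand-in for the output of: fs_cli -x "version"
    print(audit("FreeSWITCH Version 1.10.6", SAMPLE_PROFILES))
```

Run it against the contents of each file under sip_profiles/; a non-empty result lists the profiles that still need the auth-messages parameter.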

📡 Detection & Monitoring

Log Indicators:

  • SIP MESSAGE requests from unauthenticated sources in FreeSWITCH logs
  • Failed authentication attempts for MESSAGE requests

Network Indicators:

  • SIP MESSAGE packets to port 5060/5061 without authentication headers
  • Unusual spike in MESSAGE traffic

SIEM Query:

source="freeswitch.log" AND "MESSAGE" AND NOT "auth"
